EPIC Alert 21.20
E P I C A l e r t
Volume 21.20 October 29, 2014
Published by the
Electronic Privacy Information Center (EPIC)
"Defend Privacy. Support EPIC."
Table of Contents
 Obama Issues Executive Order to Strengthen Consumer Privacy
 EPIC Urges Transportation Department to Protect Driver Privacy
 EPIC Recommends Research on 'Privacy Enhancing Technologies'
 EPIC, 49 Other Organizations Urge Obama to Update FOIA
 EPIC Spotlight: Domestic Drones, Surveillance and Privacy Risks
 News in Brief
 EPIC in the News
 EPIC Bookstore
 Conferences and Events
TAKE ACTION: Rock the Freedom of Information Act with FOIA.ROCKS!
VISIT EPIC's New FOIA Domain: http://foia.rocks
TWEET in Support of FOIA: #FOIAat40
LEARN about EPIC's FOIA Work: https://epic.org/foia/
SUPPORT EPIC: https://epic.org/support/

 Obama Issues Executive Order to Strengthen Consumer Privacy

President Obama has signed an Executive Order called "Improving the
Security of Consumer Financial Transactions." The Order will mandate
enhanced security features for government financial transactions, and
require that "executive departments and agencies (agencies) shall, as
soon as possible, transition payment processing terminals and credit,
debit, and other payment cards to employ enhanced security features,
technology," which has greatly reduced financial fraud and identity
crimes in Europe.

The White House also made public a series of measures to safeguard
consumer financial security. The Federal Trade Commission will be
responsible for implementing IdentityTheft.gov, a website providing "a
new one-stop resource for victims" of identity theft. The National
Security Council Staff, Office of Science and Technology Policy and
Office of Management and Budget must present the President with a plan
in the next 18 months ensuring that personal data digitally released by
the government to citizens is authenticated multiple times "so that
every citizen's personal information is protected by the most secure
methods possible." The Executive Order also supports "algorithmic

In a related announcement of a summit on cybersecurity and consumer
protection, the White House stated, "The Summit will bring together
major stakeholders on consumer financial protection issues to discuss
how all members of our financial system can work together
protect American consumers and their financial data, now and in the
future," further stating that "The President will also renew his call
to Congress to enact overdue cybersecurity legislation that will help
protect Americans - particularly by clarifying companies' obligations
when sensitive data is breached."

EPIC has endorsed many of the proposals set forth in the Executive
Order. In 2011 testimony before the US House Committee on Financial
Services, EPIC president Marc Rotenberg suggested the use of
"authentication by consumer-set passwords instead of biographic
identifiers like date of birth or social security number; audit trails
that record all instances where a customer's record is accessed;
encryption of stored data; notice to the affected individuals and the
relevant agency when there is a security breach; and limiting data
retention by either deleting call records after they are no longer
needed or divorcing identification data from the transactional data."

EPIC has similarly advocated for algorithmic transparency. In EPIC's
April 2014 comments to the Office of Science and Technology Policy on
the privacy threats inherent in "Big Data," EPIC noted, "Because Big
Data has threatened individual privacy for many years, and the risks to
increase daily, it is imperative that this Administration
confronts Big Data problems expeditiously. Among the changes that are
needed, the law should be updated to guarantee algorithmic
transparency." Mr. Rotenberg also called for algorithmic transparency
before the OECD at the October 2014 Global Forum for the Knowledge
Economy in Tokyo.

The White House: EO on Consumer Financial Transactions (Oct. 17, 2014)
The White House: Fact Sheet on Executive Order (Oct. 17, 2014)
EPIC: Comments on "Big Data and the Future of Privacy" (Apr. 4, 2014)
EPIC: Testimony before US House on Data Protection (Sep. 14, 2011)
EPIC: Congressional Testimony on Consumer Data Privacy (Jun. 15, 2011)

 EPIC Urges Transportation Department to Protect Driver Privacy

EPIC has submitted comments to the National Highway Traffic Safety
Administration, a component of the US Transportation Department, urging
the agency to protect driver privacy for "vehicle-to-vehicle" (V2V)
technology, which transmits data between vehicles to prevent impending
crashes. EPIC's comments highlight several privacy and security risks
in current V2V technology, particularly the systems' ability to
create, enrich, direct, and share digital information
between businesses, people, organization, infrastructures, and things,"
"'set[ting] the stage for extraordinarily targeted monitoring and
manipulation [of individuals].'"

NHTSA is in the initial stages of mandating V2V technology. In August
2014, the National Highway Traffic Safety Administration issued an
Advance Notice of Proposed Rulemaking and a research report on V2V.
The report acknowledged that "privacy considerations are critical to
the analysis underlying NHTSA's decision about whether and, if so, how
to proceed with V2V research or regulation."

EPIC's comments urged NHTSA to "complete a more detailed privacy and
security assessment of V2V communications" and to: "(1) not collect
[Personally Identifiable Information] without the express, written
authorization of the vehicle owner; (2) ensure that no data will be
stored either locally or remotely; (3) require end-to-end encryption of
V2V communications; (4) require end-to-end anonymity; and (5) require
auto manufacturers to adhere to the Consumer Privacy Bill of Rights,"
a framework for consumer privacy released by the Obama White House in
2013, EPIC, joined by a coalition of consumer privacy organizations
and members of the public, urged NHTSA to protect driver privacy
establish similar privacy safeguards for automobile "black boxes."

EPIC: Comments to NHTSA on V2V Technology (Oct. 20, 2014)
NHTSA: Report on V2V Technology (Aug. 2014)
NHTSA: Advance Notice of Proposed Rulemaking (Aug. 20, 2014)
EPIC: Automobile Event Data Recorders (Black Boxes) and Privacy

 EPIC Recommends Research on 'Privacy Enhancing Technologies'

EPIC has submitted comments to the National Coordination
Networking and Information Technology Research and Development
following a September 2014 request for information on
Privacy Research Strategy. EPIC's comments recommend research on
Privacy Enhancing Technologies, or PETs, that "minimize
the collection of personally identifiable information." The comments
further express support for Fair Information Practices and the White
House's Consumer Privacy Bill of Rights.

NITRD sought public input on "privacy objectives," "assessment
capabilities," a "multi-disciplinary approach" to "both strengthen
privacy and support innovation," and "privacy architectures."
comments point to a number of PETs that the agency can use to reduce or
eliminate the collection of Personally Identifiable
these PETs are implementing differential privacy protections, improving
anonymization, providing audit trails of how data is used, and creating
standards for both reviewing and providing transparency when using

EPIC also encouraged NITRD to implement a privacy-preserving
architecture based on the Fair Information Practices, or FIPs. EPIC
stated that the Obama White House's 2012 Consumer Privacy Bill of
Rights, which is based on the FIPs and provides a comprehensive
framework for consumer privacy, is the best baseline set of privacy
protections for users and consumers. According to EPIC, the
"should focus on technology that facilitates the implementation of the
privacy protections listed in the CPBR."

in 2014, EPIC submitted comments on "Big Data and the Future of
Privacy" and has several times called for the end of opaque algorithmic
profiling. The White House's subsequent report on Big Data and the
Future of Privacy incorporated several recommendations from
other privacy organizations.

EPIC: Comments to NITRD re: RFI (Oct. 17, 2014)
NITRD: RFI - National Privacy Research Strategy (Sep. 18, 2014)
The White House: Consumer Privacy Bill of Rights (Feb. 2012)
The White House: Report on Big Data (May 1, 2014)
EPIC: Petition to OSTP re: Big Data Public Comments (Feb. 10, 2014)
EPIC: Comments on Big Data and the Future of Privacy (Apr. 4, 2014)
EPIC: Big Data and the Future of Privacy

 EPIC, 49 Other Organizations Urge Obama to Update FOIA

EPIC and a coalition of transparency and open government
written a letter to President Obama, urging him to update the Freedom
of Information Act. "Only statutory reform and your public commitment
to that reform will ensure the commitments you have made last beyond
the coalition wrote.

In early 2009, President Obama signed a memorandum pledging an
"unprecedented level of openness" in his Administration.
the memo, the President sought to ensure trust and establish a system
of transparency, public participation and collaboration. To that end,
the President directed executive agencies to develop recommendations
for implementing the president's open government

The President's promise of an exceptionally open and transparent
government, wrote the coalition, continues to face numerous
As a result, the coalition identified six core components it believes
"at a minimum must be legislatively mandated in order to achieve your

First, Congress must codify the presumption of disclosure in order to
by future administrations. "Without this mandate,"
wrote the groups, "the FOIA will continue to be subject to the
of whoever occupies the White House."

Second, Congress must also codify the foreseeable harm standard
mandated by the current US Attorney General. Under this standard,
records are only withheld where disclosure would cause a foreseeable
harm to government

Third, government agencies must weigh the public interest when
withholding inter- and intra-agency memoranda under the
process privilege of FOIA exemption 5. This privilege, the coalition
argued, "continues to be significantly overused, disserving the very
interests your memorandum commits to advance."

Fourth, information created 25 or more years before the date of a FOIA
request should not be subject to FOIA exemption 5. "The FOIA should not
be used to bar the public's access to our nation's history where the
passage of time has significantly eroded, if not eliminated altogether,
any valid governmental interest served by secrecy," wrote the groups.

Fifth, Congress must amend the FOIA to prohibit agencies from charging
fees once the agencies have missed statutory deadlines.

Finally, Congress must enhance and expand the role of the Office of
Government Information Services to reflect and ensure the office's role
in streamlining the FOIA process and reducing FOIA litigation.

EPIC frequently uses the FOIA to obtain government records on
against the Central Intelligence Agency to obtain final reports from
the CIA's Inspector General on the agency's involvement in penetrating
the US Senate Intelligence Committee's computer network.

EPIC et al.: Letter to President Obama re: FOIA (Oct. 23, 2014)
The White House: Memorandum on Transparency and Open Government
EPIC: Open Government
EPIC: FOIA Cases
EPIC: EPIC v. CIA

 EPIC Spotlight: Domestic Drones, Surveillance and Privacy Risks

EPIC's "Spotlight on Surveillance" Project returns to focus attention
on domestic drone surveillance. The 2012 FAA Modernization Act directed
the Federal Aviation Administration to integrate drones into the
National Airspace System, immediately raising concerns about both
safety and privacy. The Act also required the agency to conduct a
public rulemaking assessing public safety concerns, flight standards
and licensing and air traffic requirements for drone use.

In response to Congress's mandate to the FAA, EPIC, joined by over 100
other organizations, experts and members of the public, petitioned the
agency to address privacy in the integration process. "Drones greatly
increase the capacity for domestic surveillance," stated the petition.

In February 2013, the Agency responded to EPIC's petition, announcing
"address [privacy issues] through engagement and collaboration
with the public." As a result, the FAA published a Notice with proposed
privacy requirements for drone operators. EPIC's comments recommended
that the FAA mandate the proposed privacy standards, which are based on
the Fair Information Practices, and maintain a public database of all
drone operators. EPIC has also testified before Congress in support of
drone privacy law.

Many drones have been outfitted with invasive surveillance equipment,
definition cameras, thermal and infrared imaging
and automated license plate readers. Domestic drone use has increased
in recent years; law enforcement units in Florida, Texas
and South Carolina have acquired drones for operational use. The US
of Customs and Border Protection operates nine Predator drones
along US borders. In late 2011, the Bureau found itself embroiled
controversy when it was reported that a drone was loaned to North
Dakota law enforcement to locate missing livestock.

the FAA has banned the commercial use of drones, the agency
has begun granting limited exemptions. In 2014 the FAA granted
to six movie and TV production companies. The agency is
currently considering another 40 requests from various commercial
including Amazon, Google and Domino's Pizza.

EPIC's Spotlight "Eyes in the Sky" examines the surveillance
capabilities of drone technology and recommends comprehensive privacy

US Congress: FAA Modernization Act of 2012 (Feb. 14, 2012)
EPIC: Spotlight on Surveillance: "Eyes in the Sky" (Oct. 2014)
FAA: Press Release: Exemptions for Commercial Drones (Sept. 25, 2014)
EPIC et al.: Petition to FAA re: Drones (Feb. 24, 2012)
EPIC: Letter from FAA Chief Counsel to EPIC (Feb. 14, 2013)
EPIC: Comments to FAA on Drones and Privacy (Apr. 23, 2013)
EPIC: Congressional Testimony on Drones (Mar. 20, 2013)

 News in Brief

Supreme Court to Rule on Privacy of Hotel Records

The US Supreme Court has agreed to hear Los Angeles v. Patel, a
a local ordinance that allows police to inspect hotel
guest registries without a warrant or judicial supervision. A federal
court ruled in December 2013 that the LA law was "facially"
unconstitutional because the authority could violate the Fourth
The Court will consider both the scope of privacy
protections for hotel guests and whether the Fourth Amendment prohibits
that allow unlawful searches. This second issue has far-reaching
consequences because many recent laws authorize police searches
judicial review. To date, courts have only considered "as applied"
challenges on a case-by-case basis. EPIC will likely file a "friend of
the court" brief with the Supreme Court in support of the lower court's

US Supreme Court: Certiorari in Los Angeles v. Patel (Oct. 20, 2014)
EPIC: Los Angeles v. Patel
Ninth Circuit Court: Opinion in Los Angeles v. Patel (Dec. 24, 2013)
EPIC: Amicus Curiae Briefs

New Report Reviews Progress on Signals Intelligence Reform

The Office of the Director of National Intelligence has released the
first report on the implementation of Presidential Policy Directive 28.
In January 2014, the President proposed a revised policy
signals intelligence. Under the revised directive, PPD-28, intelligence
agencies are required to "review and update" their policies and
"establish new ones as necessary" to safeguard personal information
collected through signals intelligence. Signals intelligence activities
must also be "as tailored as feasible," and there must be limitations
on the querying, use, dissemination and retention of personal
information. The report states that all intelligence agencies must have
PPD-28 in place by January 17, 2015, one year after the President's
speech. In 2013, EPIC challenged the NSA's bulk collection of domestic
and international call detail records. EPIC has also filed Freedom of
Information Act requests with the NSA and other intelligence agencies,
seeking disclosure of current procedures regarding surveillance
under Executive Order 12333.

ODNI: "Safeguarding the Personal Information of All People" (July 2014)
The White House: Press Release on PPD-28 (Jan. 17, 2014)
The White House: Remarks on Signals Intelligence (Jan. 17, 2014)
EPIC: In re EPIC (NSA)
EPIC: FOIA Request to NSA re: EO 12333 (Jul. 31, 2014)
EPIC: EO 12333

FCC Levies $10M Fine Against Carriers for Breach of Consumer Privacy

The Federal Communications Commission has announced
largest privacy fines to date. The FCC's first data security case stems
from an investigation of mobile service carriers TerraCom and YourTel
America, which "stored Social Security numbers, names, addresses,
driver's licenses and other sensitive information belonging to their
customers on unprotected Internet servers that anyone in the world
could access." The carriers will be fined $10M for their breach of
consumer privacy. This decision follows the FCC's $7.4M settlement with
Verizon over privacy violations. In 2013, EPIC urged the FCC to
determine whether Verizon violated the Communications Act when it
released consumer call detail information to the National Security
Agency. In 2007, in response to a 2005 EPIC petition, the FCC
strengthened privacy protections for telephone records, which EPIC also
defended in a "friend of the court" brief for the DC Circuit,
ultimately establishing support for opt-in privacy safeguards.

FCC: Press Release on Mobile Carrier Settlement (Oct. 24, 2014)
FCC: Text of Verizon Settlement (Sep. 2, 2014)
EPIC: Letter to FCC re: Verizon (Nov. 15, 2013)
EPIC: Petition to FCC re: CPNI (Aug. 2005)
FCC: Ruling on Telephone Record Privacy (Apr. 2, 2007)
EPIC: "Friend of the Court" Brief in NCTA v. FCC (May 6, 2008)
EPIC: NCTA v. FCC (Concerning Privacy of CPNI)
In re EPIC (NSA Telephone Records Surveillance)

Senator Rockefeller Questions Whisper About Privacy Practices

Senator Jay Rockefeller (D-WV) has asked Whisper.sh, an app and website
where users can post anonymously, to answer several questions about the
company's practices and policies. Whisper claims it does not track
users and that it respects users' decisions to opt out of
geolocational tracking. But newspaper The Guardian has revealed that
Whisper tracks "the precise time and approximate location of all
messages" and specifically tracks certain users the company deems
"newsworthy." Senator Rockefeller, chair of the Senate Committee on
Commerce, has asked Whisper to explain its tracking, data retention and
disclosure practices. EPIC has several similar matters pending before
the Federal Trade Commission.

Sen. Jay Rockefeller (D-WV): Letter to WhisperText (Oct. 22, 2014)
The Guardian: "Revealed: how Whisper app tracks 'anonymous' users"
(Oct. 6, 2014)
US Senate Commerce Committee
EPIC: In re WhatsApp
 EPIC in the News
"EPIC: driver data shared via V2V technology needs protection." SC
Magazine, Oct. 23, 2014.
"Big Data Research Effort Faces Student-Privacy Questions." GovTech,
Oct. 23, 2014.
"FTC Snags Soltani for Chief Technologist Role." ECommerce Times, Oct.
"Your Car Won't Start. Did You Make The Loan Payment?" Montana Public
Radio, Oct. 21, 2014.
"Supreme Court to decide if cops can access hotel registries without
warrants." Ars Technica, Oct. 21, 2014.
"Personalized Learning Pits Data Innovators Against Privacy Advocates."
Education Week, Oct. 20, 2014.
"Push for 'Learner Profiles' Stymied by Barriers." Education Week,
Oct. 20, 2014.
"Charlotte police investigators secretly track cellphones." Charlotte
Observer, Oct. 18, 2014.
"Privacy experts call for Whisper to be investigated over tracking of
some users." The Guardian, Oct. 17, 2014.
"FBI head concerned over Apple and Google encryption." NPR's
"Marketplace," Oct. 17, 2014.
"A Look Behind the Snapchat Photo Leak Claims." The New York Times,
Oct. 17, 2014.
For More EPIC in the News: http://epic.org/news/epic_in_news.html

 EPIC Bookstore

"Litigation Under the Federal Open Government Laws 2010," edited by
Harry A. Hammitt, Marc Rotenberg, John A. Verdi, Ginger McCall,
Mark S. Zaid (EPIC 2010). Price: $75.

Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
This updated version includes new material regarding President Obama's
2009 memo on Open Government, Attorney General Holder's March 2009 memo
on FOIA Guidance, and the new executive order on declassification. The
standard reference work includes in-depth analysis of litigation under:
the Freedom of Information Act, the Privacy Act, the Federal Advisory
Committee Act, and the Government in the Sunshine Act. The fully updated
2010 volume is the 25th edition of the manual that lawyers, journalists
and researchers have relied on for more than 25 years.

"Information Privacy Law: Cases and Materials, Second Edition" Daniel
J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005).

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive
for an exciting course in this rapidly evolving area of law.

"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.

"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the

"The Privacy Law Sourcebook 2004: United States Law, International
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the

"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.

A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.

EPIC publications and other books on privacy, open government, free
expression, and constitutional values can be ordered at:
EPIC Bookstore: http://www.epic.org/bookstore

EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

 Upcoming Conferences and Events

"#FOIAat40." Speakers: EPIC President Marc Rotenberg and EPIC
Administrative Law Counsel Khaliah Barnes. Washington, DC:
Law Center, October 30, 2014. For More Information:

Maine Judicial Conference. Speaker: EPIC Associate Director Ginger
McCall. Rockport, ME: October 30-31, 2014. For More Information:

"Bird's Eye View: Transatlantic Data Exposures and Regulatory
Enforcement." Speaker: EPIC Associate Director Ginger McCall.
AZ: Privacy XChange Forum, November 3, 2014. For More

"FUSION: Rise Up." Speaker: EPIC President Marc Rotenberg. Washington,
DC: November 19, 2014. For More Information:

Join EPIC on Facebook and Twitter

Join the Electronic Privacy Information Center on Facebook and Twitter:

Start a discussion on privacy. Let us know your thoughts. Stay up to
date with EPIC's events. Support EPIC.

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave. NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave. NW, Suite
200, Washington, DC 20009. Or you can contribute online at:

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government and private-sector
infringement on constitutional values.

Subscribe/unsubscribe via web interface:

Back issues are available at: http://www.epic.org/alert
The EPIC Alert displays best in a fixed-width font, such as Courier.
------------------------- END EPIC Alert 21.20------------------------